User authentication fails when there are white spaces in the PAM stack.

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux

Issue

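  • Authentication fails because of trailing white space (a carriage return, displayed as ^M by cat -vet and as #015 in the log) in a PAM configuration file, and the following error is logged: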
PAM unable to dlopen(/usr/lib64/security/pam_modulexxx.so#015)

Resolution

  • Review the PAM stack and remove the white spaces from the affected PAM configuration file.

Example:

  • In the /etc/pam.d/sshd file, cat -vet shows a white-space character (^M, a carriage return) at the end of each line:
$ cat -vet /etc/pam.d/sshd
###############^M$
#%PAM-1.0^M$
auth^Isufficient^Ipam_permit.so^M$
auth       substack     password-auth^M$
auth       include      postlogin^M$
account    required     pam_sepermit.so^M$
account    required     pam_nologin.so^M$
account    include      password-auth^M$
password   include      password-auth^M$
# pam_selinux.so close should be the first session rule^M$
session    required     pam_selinux.so close^M$
session    required     pam_loginuid.so^M$
# pam_selinux.so open should only be followed by sessions to be executed in the user context^M$
session    required     pam_selinux.so open env_params^M$
session    required     pam_namespace.so^M$
session    optional     pam_keyinit.so force revoke^M$
session    optional     pam_motd.so^M$
session    include      password-auth^M$
session    include      postlogin^M$
###############
  • Remove the trailing characters so that the file looks like this:
$ cat -vet /etc/pam.d/sshd
###############
#%PAM-1.0
auth       sufficient   pam_permit.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so
session    include      password-auth
session    include      postlogin
###############

Diagnostic Steps

  • In /var/log/secure, the entries for the PID of the failing ssh attempt show "PAM unable to dlopen" errors, with #015 appended to each module path:
Jun  3 02:01:46 testserver sshd[12035]: PAM unable to dlopen(/usr/lib64/security/pam_permit.so#015): /usr/lib64/security/pam_permit.so#015: cannot open shared object file: No such file or directory
Jun  3 02:01:46 testserver sshd[12035]: PAM adding faulty module: /usr/lib64/security/pam_permit.so
Jun  3 02:01:46 testserver sshd[12035]: PAM _pam_load_conf_file: unable to open config for password-auth
Jun  3 02:01:46 testserver sshd[12035]: PAM _pam_load_conf_file: unable to open config for postlogin
Jun  3 02:01:46 testserver sshd[12035]: PAM unable to dlopen(/usr/lib64/security/pam_sepermit.so#015): /usr/lib64/security/pam_sepermit.so#015: cannot open shared object file: No such file or directory
Jun  3 02:01:46 testserver sshd[12035]: PAM adding faulty module: /usr/lib64/security/pam_sepermit.so
Jun  3 02:01:46 testserver sshd[12035]: PAM unable to dlopen(/usr/lib64/security/pam_nologin.so#015): /usr/lib64/security/pam_nologin.so#015: cannot open shared object file: No such file or directory
Jun  3 02:01:46 testserver sshd[12035]: PAM adding faulty module: /usr/lib64/security/pam_nologin.so
Jun  3 02:01:46 testserver sshd[12035]: PAM _pam_load_conf_file: unable to open config for password-auth
Jun  3 02:01:46 testserver sshd[12035]: PAM _pam_load_conf_file: unable to open config for password-auth
Jun  3 02:01:46 testserver sshd[12035]: PAM unable to dlopen(/usr/lib64/security/pam_loginuid.so#015): /usr/lib64/security/pam_loginuid.so#015: cannot open shared object file: No such file or directory
Jun  3 02:01:46 testserver sshd[12035]: PAM adding faulty module: /usr/lib64/security/pam_loginuid.so
Jun  3 02:01:46 testserver sshd[12035]: PAM unable to dlopen(/usr/lib64/security/pam_namespace.so#015): /usr/lib64/security/pam_namespace.so#015: cannot open shared object file: No such file or directory
Jun  3 02:01:46 testserver sshd[12035]: PAM adding faulty module: /usr/lib64/security/pam_namespace.so
Jun  3 02:01:46 testserver sshd[12035]: PAM unable to dlopen(/usr/lib64/security/pam_motd.so#015): /usr/lib64/security/pam_motd.so#015: cannot open shared object file: No such file or directory
Jun  3 02:01:46 testserver sshd[12035]: PAM adding faulty module: /usr/lib64/security/pam_motd.so
Jun  3 02:01:46 testserver sshd[12035]: PAM _pam_load_conf_file: unable to open config for password-auth
Jun  3 02:01:46 testserver sshd[12035]: PAM _pam_load_conf_file: unable to open config for postlogin
Jun  3 02:01:46 testserver sshd[12035]: Failed password for testuser from xx.xx.xx.xx port 53836 ssh2
Jun  3 02:01:46 testserver sshd[12035]: Connection reset by authenticating user testuser xx.xx.xx.xx port 53836 [preauth]
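
The following shell functions are an added example, not part of the original solution and not Red Hat tooling. They find PAM files whose lines end in a carriage return, strip it while keeping a backup outside the PAM directory, and list the module paths that a secure log reports with #015 appended. The function names, the backup directory argument and the .crlf-bak suffix are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names and the .crlf-bak suffix are assumptions.
CR=$(printf '\r')

# Print "file:count" for each file in a PAM directory with lines ending in CR.
# Returns 1 when at least one file is affected, 0 when all files are clean.
pam_cr_scan() {
    dir=${1:-/etc/pam.d}
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        n=$(grep -c "${CR}\$" "$f" || true)
        if [ "${n:-0}" -gt 0 ]; then
            printf '%s:%s\n' "$f" "$n"
            found=1
        fi
    done
    return "$found"
}

# Strip the trailing CR from every line of one file. The backup goes to a
# separate directory so that no extra file is left inside the PAM directory.
# Writing back with "cat >" reuses the existing inode, so the owner, mode
# and SELinux label of the file are unchanged.
pam_cr_fix() {
    f=$1
    backup_dir=$2
    cp -p "$f" "$backup_dir/$(basename "$f").crlf-bak" || return 1
    tmp=$(mktemp) || return 1
    if sed "s/${CR}\$//" "$f" > "$tmp"; then
        cat "$tmp" > "$f"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# From a secure log, list the module paths that failed to load with "#015"
# (the syslog rendering of CR) appended: one path per line, de-duplicated.
pam_cr_log_modules() {
    sed -n 's/.*PAM unable to dlopen(\([^)]*\)#015).*/\1/p' "$1" | sort -u
}

# Usage: pam_cr_scan /etc/pam.d; pam_cr_fix /etc/pam.d/sshd <backup directory>
```

Keep an existing root session open while changing PAM files, and confirm that a new login succeeds before closing it.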
  • Component: pam

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
